Python cgi


jbrewer

I'm currently writing my first CGI script (in Python), and I keep
getting an error I don't know how to address. I'm not sure if this is
a Python or Apache error, but I suspect it's an Apache config thing.
Anyway, in my code I need to upload a file, so in my HTML there's a
line like

File to upload <input type="file" name="myfile">

and in my Python code I try to read the file following the Python docs
and the Python Cookbook like

import cgi

form = cgi.FieldStorage()
fileitem = form["myfile"]          # raises KeyError if the field was not submitted at all
if fileitem.file:                  # a FieldStorage with a file object: a real upload
    # file upload details...
    pass
else:
    # print error stuff to page
    pass

The problem is that the "if fileitem.file" test is never true. After
some debugging I discovered that this is because fileitem is returned
as type MiniFieldStorage instead of FieldStorage, which is described as
"Like FieldStorage, for use when no file uploads are possible." There
are other fields in the form that are read just fine. Does anyone know
why no file uploads would be possible? I know very little about
configuring Apache, unfortunately.

Also, I need to run an external program with my CGI script using
something like os.system with flags from input forms, which is a major
security risk. Is it simply enough to test for flag.isalnum() or
should I do more to prevent random programs from being run? I should
also do some minimal DOS protection as well, so information on how to
do that simply would be appreciated as well.

Some system info:
Fedora Core 3
Apache 2.0.53
Python 2.3.4

Thanks,
Jeremy
 

Mitja Trampus

jbrewer said:
I'm currently writing my first CGI script (in Python), and I keep
getting an error I don't know how to address. I'm not sure if this is
a Python or Apache error, but I suspect it's an Apache config thing.

I suspect it's neither :)
Make sure your HTML form looks like
<form method="post" enctype="multipart/form-data" ...etc,
e.g. action="foo.py">
 

Mike Meyer

jbrewer said:
Also, I need to run an external program with my CGI script using
something like os.system with flags from input forms, which is a major
security risk. Is it simply enough to test for flag.isalnum() or
should I do more to prevent random programs from being run? I should
also do some minimal DOS protection as well, so information on how to
do that simply would be appreciated as well.

Map the input data through a dictionary:

import subprocess
flags = dict(longflag='-l', verboseflag='-v')  # ... one entry per flag you support
comflags = [flags[flag] for flag in flags if form.getvalue(flag)]
# argv list, not a string: no shell ever parses these arguments
# (subprocess is Python 2.4+; on 2.3, os.spawnvp(os.P_WAIT, mycommand, [mycommand] + comflags) does the same)
subprocess.call([mycommand] + comflags)

or words to that effect. The critical thing is that data from over
the net never goes into the command, it's just used to look up values
in the dictionary, which provides strings you know are safe to pass to
the command.

The downside is that the client can only use flags your code knows
about. Of course, that's also an *upside*.

<mike
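
The allowlist approach above, worked through as a stand-alone example. This is added here and is not code from either poster; it is Python 3 rather than the 2.3 in the question, the field names and flag strings are hypothetical, and the submitted form is modelled as a plain dict (what cgi.FieldStorage.getvalue() hands back) so it runs without a web server. It also covers the two other points the question raised: why a character check such as isalnum() is not the same thing as an allowlist, and a minimal guard against a client tying up the server (no shell, and a wall-clock timeout that kills the child).

```python
import subprocess
import sys

# Allowlist: form field name -> the exact flag string handed to the program.
# These names and flags are made up for the example; use your program's real options.
FLAGS = {
    "longflag": "-l",
    "verboseflag": "-v",
    "recursiveflag": "-R",
}


def build_argv(program, form, flags=FLAGS):
    """Build an argv list for `program` from submitted form fields.

    `form` maps field name -> submitted value.  We iterate over *our* table,
    never over the client's field names, and append only the table's own
    strings.  The submitted value decides whether a flag is on; it never
    becomes part of the command.  Unknown fields are simply ignored.
    """
    argv = [program]
    for name, flag in flags.items():
        if form.get(name):          # any non-empty value counts as "ticked"
            argv.append(flag)
    return argv


def alnum_passthrough(form):
    """The isalnum() idea from the question, for contrast.

    It keeps out shell metacharacters, but it passes any alphanumeric token
    the client cares to send and rejects legitimate flags like "-l".  The
    program, not you, then decides what "passwd" or "rf" means as an argument.
    """
    return [v for v in form.values() if isinstance(v, str) and v.isalnum()]


def run_with_limits(argv, timeout=5):
    """Run argv with no shell and a wall-clock cap.

    Returns the exit status, or None if the child was killed on timeout.
    This is the cheap part of DoS protection: a slow or hanging tool cannot
    hold a CGI process forever.  Request-rate limits belong in Apache, not here.
    """
    try:
        result = subprocess.run(argv, shell=False, timeout=timeout,
                                capture_output=True, text=True, check=False)
    except subprocess.TimeoutExpired:
        return None                 # subprocess.run kills the child before raising
    return result.returncode


def run_python_snippet(code, timeout=5):
    """Helper so the example can exercise the timeout with a harmless child."""
    return run_with_limits([sys.executable, "-c", code], timeout=timeout)


if __name__ == "__main__":
    # Constructed form submission: two real checkboxes plus a hostile field name.
    submitted = {"longflag": "on", "recursiveflag": "1", "rm -rf /": "on"}
    print(build_argv("mytool", submitted))          # ['mytool', '-l', '-R']
    print(alnum_passthrough({"a": "passwd", "b": "-l"}))  # ['passwd']
    print(run_python_snippet("pass"))                                   # 0
    print(run_python_snippet("import time; time.sleep(30)", timeout=1)) # None
```

Note that the hostile field name never even reaches the loop body: build_argv asks the form about the three names it knows and nothing else, which is exactly the property Mike describes.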
 

jbrewer

I added enctype="multipart/form-data" to the <form> tag, and that
seemed to solve it. Thanks.

Jeremy
 
